Netgate is offering COVID-19 aid for pfSense software users, learn more.


There are four types of PPP interfaces:

  • Plain PPP for 3G/4G and modem devices

  • PPPoE for DSL or similar connections

  • PPTP and L2TP for ISPs that require them for authentication.

In most cases these are managed from the interface settings directly, but they can also be edited under Interfaces > Assignments on the PPPs tab.

See also

PPP Logs

PPP (Point-to-Point Protocol) Interface Types

Add or edit a PPP entry as follows:

  • Navigate to Interfaces > Assignments on the PPPs tab

  • Click fa-pencil to edit an existing entry or fa-plus to add a new entry

  • Set the Link Type, which changes the remaining options on the page. The link types are explained throughout the remainder of this section.

PPP (3G/4G, Modem)

The PPP link type is used for talking to a modem over a serial device. This can be anything from a USB 3G/4G dongle for accessing a cellular network down to an old hardware modem for dial-up access. Upon selecting the PPP link type, the Link Interface(s) list is populated with serial devices that can be used to communicate with a modem. Click on a specific entry to select it for use. After selecting the interface, optionally enter a Description for the PPP entry.


The serial device for a modem is not automatically detected. Some modems present themselves as several devices, and the subdevice for the PPP line may be any of the available choices, but start with the last device, then try the first, and then others in between if none of those function.

When configuring a 3G/4G network, the Service Provider options pre-fill other relevant fields on the page.

  • Select a Country, such as United States, to activate the Provider drop-down with known cellular providers in that country

  • Select a Provider from the list, such as T-Mobile, to activate the Plan drop-down.

  • Select a Plan and the remaining fields will be filled with known values for that Provider and Plan

The Service Provider options can be configured manually if other values are needed, or when using a provider that is not listed:

Username and Password

The credentials used for the PPP login.

Phone Number

The number to dial at the ISP to gain access. For 3G/4G this tends to be a number such as 99# or #777, and for dial-up this is usually a traditional telephone phone number.

Access Point Name (APN)

This field is required by some ISPs to identify the service to which the client connects. Some providers use this to distinguish between consumer and business plans, or legacy networks.

APN Number

Optional setting. Defaults to 1 if the APN is set, and ignored when APN is unset.


Security code on the SIM to prevent unauthorized use of the card. Do not enter anything here if the SIM does not have a PIN.


Number of seconds to wait for SIM to discover network after the PIN is sent to the SIM. If the delay is not long enough, the SIM may not have time to initialize properly after unlocking.

Init String

The modem initialization string, if necessary. Do not include AT at the beginning of the command. Most modern modems do not require a custom initialization string.

Connection Timeout

Time to wait for a connection attempt to succeed, in seconds. Default is 45 seconds.

Uptime Logging

When checked, the uptime for the connection is tracked and displayed on Status > Interfaces.

PPPoE (Point-to-Point Protocol over Ethernet)

PPPoE is a popular method of authenticating and gaining access to an ISP network, most commonly found on DSL networks.

To configure a PPPoE link, start by setting Link Type to PPPoE and complete the remainder of the settings as follows:

Link Interface(s)

A list network interfaces that can be used for PPPoE. These are typically physical interfaces but it can also work over some other interface types such as VLANs. Select one for normal PPPoE, or multiple for MLPPP.


An optional text description of the PPP entry

Username and Password

The credentials for this PPPoE circuit. These will be provided by the ISP, and the username is typically in the form of an e-mail address, such as

Service Name

Left blank for most ISPs, some require this to be set to a specific value. Contact the ISP to confirm the value if the connection does not function when left blank.

Configure NULL Service Name

Some ISPs require NULL be sent instead of a blank service name. Check this option when the ISP considers this behavior necessary.

Periodic Reset

Configures a pre-set time when the connection will be dropped and restarted. This is rarely needed, but in certain cases it can better handle reconnections when an ISP has forced daily reconnections or similar quirky behavior.

PPTP (Point-to-Point Tunneling Protocol)

Not to be confused with a PPTP VPN, this type of PPTP interface is meant to connect to an ISP and authenticate, much the same as PPPoE works. The options for a PPTP WAN are identical to the PPPoE options of the same name. Refer to the previous section for configuration information.

L2TP (Layer 2 Tunneling Protocol)

L2TP, as it is configured here, is used for connecting to an ISP that requires it for authentication as a type of WAN. L2TP works identically to PPTP. Refer to the previous sections for configuration information.

Advanced PPP Options

All PPP types have several advanced options in common that can be edited in their entries here. In most cases these settings need not be altered. To show these options, click fa-cog Display Advanced.

Dial On Demand

The default behavior for a PPP link is to immediately connect and it will immediately attempt to reconnect when a link is lost. This behavior is described as Always On. Dial-on-Demand will delay this connection attempt. When set, the firewall will wait until a packet attempts to leave the via this interface, and then it will connect. Once connected, it will not automatically disconnect.

Idle Timeout

A PPP connection will be held open indefinitely by default. A value in Idle Timeout, specified in seconds, will cause the firewall to monitor the line for activity. If there is no traffic on the link for the given amount of time, the link will be disconnected. If Dial-on-Demand has also been set, the firewall will return to dial-on-demand mode.


pfSense® software will perform gateway monitoring by default which will generate two ICMP pings per second on the interface. Idle Timeout will not function in this case. This can be worked around by editing the gateway for this PPP link, and checking Disable Gateway Monitoring.

Compression (vjcomp)

This option controls whether or not Van Jacobson TCP header compression will be used. By default it will be negotiated with the peer during login, so if both sides support the feature it will be used. Checking Disable vjcomp will cause the feature to always be disabled. Normally this feature is beneficial because it saves several bytes per TCP data packet. The option should almost always remain enabled. This compression is ineffective for TCP connections with enabled modern extensions like time stamping or SACK, which modify TCP options between sequential packets.


The tcpmssfix option causes the PPP daemon to adjust incoming and outgoing TCP SYN segments so that the requested maximum segment size (MSS) is not greater than the amount allowed by the interface MTU. This is necessary in most cases to avoid problems caused by routers that drop ICMP “Datagram Too Big” messages. Without these messages, the originating machine sends data, it passes the rogue router then hits a machine that has an MTU that is not big enough for the data. Because the IP “Don’t Fragment” option is set, this machine sends an ICMP “Datagram Too Big” message back to the originator and drops the packet. The rogue router drops the ICMP message and the originator never gets to discover that it must reduce the fragment size or drop the IP Don’t Fragment option from its outgoing data. If this behavior is undesirable, check Disable tcpmssfix.


The MTU and MSS values for the interface may also be adjusted on the interface’s configuration page under the Interfaces menu, such as Interfaces > WAN.

Short Sequence (ShortSeq)

This option is only meaningful if MLPPP is negotiated. It proscribes shorter multi-link fragment headers, saving two bytes on every frame. It is not necessary to disable this for connections that are not multi-link. If MLPPP is active and this feature must be disabled, check Disable shortseq.

Address Control Field Compression (AFCComp)

This option only applies to asynchronous link types. It saves two bytes per frame. To disable this, check Disable ACF Compression.

Protocol Field Compression (ProtoComp)

This option saves one byte per frame for most frames. To disable this, check Disable Protocol Compression.